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Executive  Summary 

Secure  Solutions,  Inc.  was  tasked  by  the  Space  and  Naval  Warfare  Systems 
Command  (SPAWAR)  to  perform  a  Small  Business  Innovation  Research  (SBIR)  Phase 
II  network  security  research  effort  consisting  of  a  series  of  analyses  to  extend  the  Phase 
I  effort.  This  Final  Report  summarizes  the  results  of  those  analyses.  The  Phase  II  effort 
consisted  of  the  following  tasks: 

•  Task  1  -  Demonstration  of  Phase  I  Concept 

•  Task  2  -  Navy  Security  Standards  and  Applications  Analysis 

•  Task  3  -  Analysis  of  End-to-End  Encryption  and  T raffic  Flow  Confidentiality 

•  Task  4  -  Naval  Network  Security  Requirements  Analysis 

•  Task  5  -  NetWare  Administrator's  Security  Guidance  Handbook 

•  Task  6  -  Provide  Briefings  for  Phase  III  Support  (canceled) 

•  Task  7  -  Participate  in  Security  Groups. 

The  first  four  tasks  focused  on  security  services  and  mechanisrns  in 
communications  protocols,  and  on  communications  security  requirements  in  military 
environments.  In  response  to  changing  needs  of  the  Navy,  Phase  II  was  redirected 
near  it's  end  from  a  technical  perspective  with  a  focus  on  communications  security 
technology  to  a  "hands-on"  perspective  with  a  focus  on  Network  Security  Administration 
for  both  commercial  and  military  Sensitive  Unclassified  environments.  The  NetWare 
Security  Administrator's  Security  Guidance  Handbook  was  the  result  of  that  redirection. 

It  was  recognized  that  Government  and  commercial  organizations  face  a 
common  problem  of  having  trained  personnel  rotate  on  to  new  assignments,  leaving 
inadequately  trained  replacements  to  administer  the  networks.  In  addition,  it  was  noted 
that  many  organizations  which  have  NetWare  Version  3  installed  are  contemplating  the 
migration  to  Version  4,  but  their  administrators  have  not  been  trained  to  manage 
NetWare  Version  4  networks.  The  purpose  of  the  Handbook  was  to  provide  specific 
security  guidance  for  this  group  of  administrators,  including  direction  on  where  to  find 
additional  guidance  on  various  security-related  topics. 

The  importance  of  this  redirection  has  been  recognized  and  will  be  carried  into 
Phase  III  with  the  development  of  a  comprehensive  set  of  network  security 
administration  tools.  In  addition,  the  scope  will  be  broadened  to  include  support  of 
Microsoft  Windows  NT  security  administrators  as  well. 


Hi 


Secure 

Solutions, 

Inc. 


Contract  No.  N00039-93-C-0099 


Final  Report:  Results  of  the  SBIR  Phase  II  Effort 


Septembers,  1995 


This  Page  Intentionally  Left  Blank 


iv 


Secure 

Solutions, 

Inc. 


Contract  No.  N00039-93-C-0099 


Final  Report:  Results  of  the  SBIR  Phase  II  Effort 


Septembers,  1995 


Section  1 
Introduction 


Secure 

Solutions, 

Inc, 


Contract  No.  N00039-93-C-0099 


Final  Report:  Results  of  the  SBIR  Phase  II  Effort 


September  5,  1995 


This  Page  Intentionally  Left  Blank 


Secure 

Solutions, 

Inc. 


Contract  No.  N00039-93-C-0099 


Final  Report:  Results  of  the  SBIR  Phase  II  Effort 


Septembers,  1995 


1.0  Introduction 

This  Final  Report  summarizes  the  results  of  a  series  of  network  security  analyses 
performed  by  Secure  Solutions  under  Phase  II  of  the  Small  Business  Innovation 
Research  (SBIR)  Program  for  the  U.S,  Navy’s  Space  and  Naval  Warfare  Systems 
Command  (SPAWAR)  under  Contract  Number  N00039-93-C-0099,  SBIR  Topic  Number 
N91  -061 ,  "Placement  of  Network  Security  Services  for  Secure  Data  Exchange. " 

The  introduction  describes  the  results  of  the  Phase  I  effort  and  provides  other 
background  information  on  why  this  Phase  II  research  effort  was  initiated,  describes  the 
scope,  objectives,  and  approach  used  in  the  Phase  II  effort,  and  describes  the 
organization  of  the  report. 


1.1  Background 

Naval  Command  and  Control,  Communications  and  Computers,  and  Intelligence 
(C^l)  systems  are  hosted  on  shipboard,  submarine,  shore,  airborne,  and  space 
platforms  and  must  consequently  operate  in  a  variety  of  hostile  environments.  Diverse 
local  area  networks  (LANs),  metropolitan  area  networks  (MANs),  and  wide  area 
networks  (WANs),  as  well  as  client-server  technologies  and  Network  Operating  Systems 
(NOSs),  are  used  to  support  these  C^l  systems.  A  major  thrust  is  to  interconnect  these 
networks  for  the  purpose  of  sharing  information  and  improving  the  survivability  of  the 
overall  network.  To  support  application-level  interoperability  among  C^l  systems  which 
use  these  networks,  the  use  of  a  layered  architecture  is  imperative.  Furthermore,  with 
the  current  migration  from  centralized  host  environments  to  distributed  client-server 
environments,  it  is  imperative  that  a  distributed  approach  to  security  be  adopted. 

Phase  I  of  this  SBIR  effort  focused  on  the  Open  Systems  Interconnection 
Reference  Model  (OSl  RM),  the  most  well-known  framework  for  a  layered  architecture. 
It  is  shown  in  Figure  1-1  and  described  in  the  International  Standards  Organization 
(ISO)  International  Standard  7498  (ISO  7498).  The  Security  Architecture  for  the  OSl 
RM,  described  in  ISO  7498-2,  identifies  five  basic  categories  of  services:  data 
confidentiality,  data  integrity,  authentication,  access  control,  and  non-repudiation. 

The  placement  of  security  services  and  mechanisms  within  the  OSl  Reference 
Model  has  always  been  controversial  because  ISO  7498-2  limits  the  layers  where  they 
may  be  placed.  For  Layer  2,  the  Data  Link  Layer,  it  states  that  only  data  confidentiality 
may  be  provided.  The  IEEE  802.10  LAN/MAN  Security  Working  Group  is  developing 
the  Standard  for  Interoperable  LAN/MAN  Security  (SILS).  SILS  includes  a  description 
of  the  Secure  Data  Exchange  (SDE)  protocol  which  operates  within  Layer  2  and 
supports  data  confidentiality,  data  integrity,  authentication,  and  access  control.  Due  to 
their  efforts,  ISO  is  considering  modifying  the  OSl  Reference  Model  to  include  these 
services  at  Layer  2,  as  shown  in  Figure  1-2. 
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Figure  1-1.  Layered  Architecture  of  the  OSI  Reference  Model 


Legend: 

•  -  ISO  7498-2 
S  -  SILS 


Figure  1-2.  Allocation  of  Security  Services  to  OSI  Layers 
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Simply  resolving  the  differences  between  standards  organizations  will  still  not 
lead  to  an  optimal  placement  of  security  services  among  layers  for  the  Navy.  Optimal 
placement  for  the  Navy  will  only  be  achieved  if  the  placement  of  services  are  primarily 
driven  by  DoD  information  security  (INFOSEC)  assurance  requirements  and  the  greater 
constraints  encountered  in  the  Naval  tactical  environment.  In  this  regard,  it  is  critical 
that  service  placement  selections  be  made  in  a  manner  that  conserves  bandwidth, 
supports  real-time  transmission  requirements,  and  promotes  survivability.  For  these 
reasons,  the  Phase  I  effort  was  undertaken  to  perform  a  thorough  analysis  to  identify 
the  security  services  that  should  be  provided  in  each  of  the  seven  layers  of  the  OSI 
Reference  Model  for  Naval  applications. 


The  Phase  I  effort  produced  the  following  accomplishments: 

•  The  general  services  and  functions  were  described  for  each  OSI  layer 

•  The  security  services  and  mechanisms  to  be  allocated  to  the  various  OSI  layers 
were  defined 

•  Evaluation  factors  for  analyzing  placement  options  were  defined 

•  Security  services  were  allocated  to  the  OSI  layers  using  the  evaluation  factors. 


The  following  conclusions  were  reached  as  part  of  the  Phase  I  effort: 


•  There  is  a  need  for  LAN  security  products  (e.g.,  local  and  remote  bridges) 
implementing  security  services  and  mechanisms  at  Layer  2  of  the  OSI 
Reference  Model.  These  would  support  Naval  mission-specific  requirements 
for  delivery/  response  times 

•  The  U.S.  Navy  needs  to  continue  to  support  national  and  international 
standards  development  activities  to  ensure  that  Navy  mission-specific 
requirements  are  taken  into  account  as  part  of  these  efforts 

•  Both  Type  1  and  Type  2  security  products  are  needed  to  support  Naval 
missions.  The  following  security  products  are  needed: 

-  Secure  local  bridge 

-  Secure  remote  bridge 

-  Secure  LAN  front  end 

-  LAN  Security  cards. 
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1.2  Phase  II  Scope 

Phase  II  was  intended  to  extend  the  work  of  the  Phase  I  effort  by  performing 
demonstrations,  conducting  relevant  follow-on  systems  engineering  efforts,  and  holding 
meetings  with  vendors  to  stimulate  interest  in  the  development  of  LAN  security  products 
to  support  mission-critical  Naval  applications.  The  original  Phase  II  contract  involved 
the  following  work  efforts: 

•  Task  1  -  Demonstration  of  Phase  I  Concept 

•  Task  2  -  Navy  Security  Standards  and  Applications  Analysis 

•  Task  3  -  Analysis  of  End-to-End  Encryption  and  T raffic  Flow  Confidentiality 

•  Task  4  -  Naval  Network  Security  Requirements  Analysis 

•  Task  5  -  LAN  Security  Product  Specifications 

•  Task  6  -  Provide  Briefings  for  Phase  III  Support 

•  Task  7  -  Participate  in  Security  Groups. 

The  Phase  II  effort  began  with  a  focus  on  documenting  emerging 
communications  security  technologies  from  a  technical  perspective  rather  than  from  a 
"hands-on"  Network  Security  Administrator's  perspective.  As  Phase  II  progressed,  it 
was  recognized  that  new  client-server  technologies  and  NOSs  introduced  viable  options 
for  placement  of  security  services  and  mechanisms.  Participation  in  Security  Groups, 
Task  7,  included  participation  in  Internet  Engineering  Task  Force  (IETF)  security 
working  groups.  Through  this  task  and  others,  it  was  noted  that  with  the  rapid 
expansion  of  networking  technologies,  user  connectivity  demands,  and  security 
administrator  options,  Navy  and  commercial  network  security  administrators  needed 
well  defined  recommendations  on  what  security  features  to  activate  and  what  additional 
security  mechanisms  (e.g.,  firewalls)  to  implement  in  their  specific  Naval  environments. 

In  response  to  these  changing  needs  of  the  Navy,  Secure  Solutions,  Inc. 
redirected  the  Phase  II  work  effort.  Tasks  1, 2,  3,  4,  and  7  had  already  been  completed 
prior  to  the  redirection.  Tasks  5  and  6  were  canceled  and  replaced  with  a  new  Task  5: 

•  Task  5  (redirection)  -  NetWare  Administrator's  Security  Guidance  Handbook. 
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1.3  Phase  II  Objectives 

The  technical  objectives  for  Phase  II,  including  consideration  for  the  redirection  of 
Task  5,  were  to: 

•  Determine  quantitatively  if  the  implementation  of  security  protocols  at  lower  OSI 
layers  in  relays  (or  front  ends)  will  significantly  reduce  delivery  time  across  a  LAN 
internetwork 

•  Consider  what  security  functions  and  services  should  be  standardized  to  support 
network  applications,  assess  which  security  services  should  be  allocated  to  the 
communications  protocol  stack,  review  the  status  of  standardization  in  both 
commercial  and  Government  sectors,  and  report  the  findings  and  provide 
guidance  to  system  designers  concerning  identification  of  security  mechanisms 
that  implement  the  security  services,  placement  of  those  mechanisms,  and 
implementation  of  the  security  standards 

•  Determine  the  extent  of  potential  traffic  flow  information  leakage  due  to  the  use  of 
protocol  control  information  that  is  not  encapsulated  when  end-to-end  encryption 
is  used,  and  discuss  the  merits  of  the  solutions  to  counter  those  vulnerabilities 

•  Identify  the  high-level  security  implementation  requirements  for  Navy  networks  so 
that  future  studies  can  focus  on  the  strengths  and  deficiencies  of  security 
products  and  identify  areas  where  additional  security  products  are  needed 

•  Provide  consolidated,  concise,  and  easy  to  read  security  guidance  on  Novell 
NetWare  to  acquaint  management  and  new  network  administrators  with  all  major 
security  issues  and  provide  pointers  to  more  in-depth  documentation  on  each 
subject  so  they  will  be  able  to  take  the  correct  steps  to  counter  any  threats  that 
may  arise 

•  Participate  in  Navy,  U.S.  Government,  and  International  working  groups  to 
develop  recommendations  for  selecting  security  services  in  Navy  systems,  with 
an  emphasis  on  the  Navy  Integrated  C^l  Security  Architecture. 


1.4  Phase  II  Approach 

This  study  was  accomplished  by  performing  the  following  tasks: 

•  Demonstration  of  Phase  I  Concept  -  Work  with  Naval  Command,  Control,  and 
Ocean  Surveillance  Center's  RDT&E  Division  (NRaD),  Naval  Research 
Laboratory  (NRL),  and  Naval  Surface  Warfare  Center  (NSWC)  to  define  a 
network  configuration  for  evaluating  delivery  time,  develop  a  mathematical  model 
for  computing  delivery  time,  and  search  for  relevant  sources  to  provide  a 
demonstration  of  security  services  most  suited  to  Navy  systems 
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•  Security  Standardization  -  Review  recent  security-related  studies  and  Naval 
computer  and  telecommunications  architectures  contemplated  for  the  future  in 
order  to  understand  the  specific  needs  of  the  Navy,  and  interview  members  of 
standards  bodies  and  review  standards  to  assess  their  progress  and  to  consider 
whether  the  required  security  services  and  functions  have  been  provided 

•  Traffic  Flow  Confidentiality-  Analyze  end-to-end  encryption  (E^)  and  traffic  flow 
confidentiality  options  and  recommend  options  to  enhance  security  in  various 
environments 

•  Requirements  Analysis  -  Conduct  requirements  definition  and  systems 
engineering  studies  of  the  DoD  Goal  Security  Architecture  (DGSA),  Multilevel 
Information  Systems  Security  Initiative  (MISSI),  and  Integrated  C^l  Architecture 
to  define  Navy  mission-specific  needs  for  network  security 

•  NetWare  Security  Guidance  -  Review  Novell  NetWare  security  features  and 
deficiencies,  assess  their  impact  on  commercial  and  Navy  Type  2  (Sensitive 
Unclassified)  processing  environments,  review  related  third-party  support 
products,  and  report  the  findings  in  a  NetWare  Administrator's  Security  Guidance 
Handbook 

•  Security  Working  Groups  -  Participate  in  security  working  groups,  including  the 
American  National  Standards  Institute  Accredited  Standards  Committee  for  Open 
Systems  Security  (Task  Group  X3T5.7),  IEEE  Security  Working  Group  for 
Standard  Interoperable  LAN/MAN  Security  (IEEE  802.10),  and  the  Internet 
Engineering  Task  Force  Security  Area  working  groups. 

1.5  Report  Organization 

The  main  body  of  the  report  is  organized  as  follows: 

•  Section  1  -  Introduction 

•  Section  2  -  Summary  and  Conclusions  of  Phase  II  Effort 

•  Section  3  -  Proposed  Direction  for  Future  Work  Efforts 

The  following  appendices  are  provided  to  supplement  the  main  body: 

•  Appendix  A  -  Acronyms 

•  Appendix  B  -  References. 
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2. 0  Summary  and  Conclusions  of  Phase  II  Effort 

Phase  II  consisted  of  six  tasks,  as  discussed  in  Section  1.  The  first  four  tasks 
resulted  in  technical  reports,  the  fifth  task  resulted  in  a  security  handbook,  and  the  last 
task  (Task  7)  resulted  in  a  series  of  trip  reports  on  the  security  working  group  meetings 
attended.  Discussions  of  the  background,  conclusions,  and  recommendations  for  each 
task  are  provided  in  the  following  paragraphs. 

2.1  Task  1:  Demonstration  of  Phase  I  Concept 

The  Phase  I  effort  made  the  qualitative  observation  that  the  delivery  time  through 
a  secure  relay  (or  secure  front  end)  could  be  improved  (reduced)  if  the  security  protocol 
is  implemented  at  a  lower  layer  within  these  components.  Task  1  of  the  Phase  II  effort 
demonstrated  quantitatively  how  much  delivery  times  can  be  improved  (reduced)  by 
implementing  security  protocols  at  lower  OSI  layers  in  relays  (or  front  ends).  The 
approach  described  three  variations  of  an  internetwork  model  consisting  of  two  802.3 
LANs  interconnected  through  a  backbone  Fiber  Distributed  Data  Interface  (FDDI)  LAN. 
The  variations  involved  three  different  types  of  secure  relays  -  bridges,  routers,  and 
transport  protocol  converters  -  which  interconnect  the  802.3  LANs  with  the  FDDI  LAN. 
Each  relay  uses  different  types  of  security  protocols  at  different  OSI  layers:  the  Secure 
Data  Exchange  (SDE)  protocol  at  Layer  2;  Security  Protocol  3  (SP3)  or  the  Network 
Layer  Security  Protocol  (NLSP)  at  Layer  3;  and  Security  Protocol  4  (SP4)  or  the 
Transport  Layer  Security  Protocol  (TLSP)  at  Layer  4. 

Conclusions  regarding  the  impact  on  host-to-host  delivery  time  as  a  function  of 
where  security  protocols  are  placed  within  OSI  layers  were  as  follows: 

•  Latency  is  a  function  of  distance  between  sender  and  receiver  and  the  number  of 
protocol  stacks  that  must  be  traversed.  It  is  also  a  function  of  the  amount  of  time 
needed  to  access  a  shared  service.  Latency  in  the  intermediate  nodes  is  a  func¬ 
tion  of  how  high  in  the  protocol  stack  the  data  must  go  before  it  goes  back  down 

•  Providing  end-to-end  security  services,  as  opposed  to  link  security  services, 
improves  (reduces)  delivery  time  because  security  encapsulation  and 
decapsulation  functions  are  only  performed  at  the  source  and  destination  host. 
When  link  security  services  are  used,  security  encapsulation  and  decapsulation 
functions  are  performed  repeatedly,  thereby  increasing  the  host-to-host  delivery 
time  for  a  given  network  configuration 

•  If  security  services  are  used  in  the  intermediate  nodes,  there  will  be  additional 
latency  due  to  security  processing  in  both  halves  of  each  intermediate  node 
stack.  If  the  security  processing  has  to  be  in  a  layer  higher  than  the  intermediate 
node  would  otherwise  use  to  perform  its  normal  functions,  then  additional  latency 
is  added  due  to  having  to  process  higher  layers  in  the  intermediate  nodes'  stacks 

•  Intermediate  node  security  services  are  not  needed  for  end-to-end  data  security, 
but  are  needed  for  traffic  flow  security  when  it  is  implemented  in  the  lower  layers. 
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The  following  recommendation  was  made  from  the  standpoint  of  delivery  time 
evaluation: 

•  Whenever  possible,  the  Navy  should  provide  end-to-end  security  services  by 
implementing  security  protocols  within  hosts  at  the  top  of  layer  three  or  higher. 
This  will  minimize  the  host-to-host  delivery  time  in  comparison  with  providing  link 
security  services. 

Task  1  identified  potential  sources  which  can  be  used  to  qualitatively  determine 
the  improvement  in  delivery  time  through  the  three  variations  of  a  LAN  internetworks. 

2.2  Task  2:  Navy  Security  Standards  and  Applications  Analysis 

It  is  through  standards  that  the  computer  and  communications  industry  can 
achieve  the  goal  of  interoperability,  and  it  is  through  security  standards  that  can  this 
goal  can  be  met  in  a  secure  manner.  To  better  understand  why  security  standards  are 
needed  in  supporting  the  development  of  secure  computer  and  network  systems,  and 
the  types  of  standards  that  are  needed.  Task  2  produced  the  following 
accomplishments: 

•  Reviewed  recent  security  studies  on  distributed  processing  and  military  telecom¬ 
munications  architectures  in  order  to  determine  what  security  functions  and 
services  should  be  standardized  to  support  computer  network  applications 

•  Reviewed  security  guidance  documents  and  standards  and  determined  the 
status  of  those  standards 

•  Described  security  mechanisms  that  can  be  implemented  to  provide  the  security 
services  specified  by  the  standards.  The  services  include  authentication,  access 
control,  audit  and  accountability,  confidentiality,  integrity,  non-repudiation,  and 
service  assurance.  The  mechanisms  include  peer  address  checking,  challenge- 
response  exchanges,  certification  authorities,  discretionary  and  mandatory 
access  controls,  digital  signatures,  notary  services,  encipherment,  traffic  padding, 
integrity  check  values,  sequence  numbering,  timestamps,  and  redundancy 

•  Suggested  additional  factors  concerning  the  choice  and  placement  of  network 
security  mechanisms  that  must  be  considered  when  evaluating  architectural 
alternatives  for  secure  computer  and  communications  systems. 

The  following  conclusions  were  reached  as  part  of  the  Task  2  effort: 

•  Technological  Advances  -  Networking  is  evolving  faster  than  any  other  area  of 
automation.  As  a  result,  an  insatiable  demand  for  even  greater  capabilities  has 
developed.  Developers  have  responded  with  more  powerful,  more  reliable,  and 
more  secure  communications  technologies  and  products.  Improvements  include: 
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-  Bandwidth  -  Fiber  optic  media  has  emerged  as  the  technology  of  the  future, 
because  it  can  support  broad  bandwidths  at  reasonable  costs.  FDDI 
incorporates  dual  counter-rotating  fiber  optic  rings  to  provide  high  bandwidth 
for  local  area  network  communications.  The  Distributed  Queue  Dual  Bus 
(DQDB)  subnetwork  of  a  metropolitan  area  network  incorporates  dual  fiber 
optic  rings  to  provide  the  Switched  Multi-megabit  Data  Service  (SMDS).  The 
Broadband  Integrated  Services  Digital  Network  (B-ISDN)  incorporates  cell- 
relay-based  Asynchronous  Transfer  Mode  (ATM)  and  Synchronous  Optical 
Network  (SONET)  to  provide  high-performance  multimedia  wide  area  network 
communications 

-  Multimedia  -  Network  providers  are  combining  telephony,  cable  broadcasting, 
and  digital  transmissions.  Multimedia  capabilities  will  change  the  way  the 
Navy  accomplishes  its  missions.  Multimedia  is  identified  as  the  basis  for  the 
Command  Global  Information  Exchange  System  (GLOBIXS)  network  of  the 
Integrated  C^l  Architecture.  Interactive  video  applications  and  video 
conferencing  are  expected  to  become  common  activities 

-  Enterprise  hubs  -  Enterprise  hubs  introduce  switched  buses  which  offer 
significant  speed  and  security  benefits  that  cannot  be  realized  on  the 
traditional  contention-based  broadcast  LAN 

-  Wireless  LAN  -  This  technology  is  evolving  due  to  the  success  of  the  portable 
computer  and  the  cellular  telephone.  Demand  has  created  a  market  and  that 
market  is  motivating  developers.  Wireless  LANs  will  provide  flexibility  for 
Government  agencies,  but  pose  new  challenges  with  respect  to  security 

-  Multilevel  Security  -  From  a  security  perspective  for  the  military,  the  most 
important  development  efforts  are  in  the  area  of  multilevel  processing. 
Standards  bodies  and  system  developers  are  well  aware  of  the  need  to  label 
subjects  and  objects  and  to  base  access  control  decisions  on  those  labels. 
Automation  will  someday  (probably  no  less  than  10  years)  be  capable  of 
allowing  cleared  and  uncleared  users  to  share  the  same  resources  across 
multilevel  networks.  The  user  community  would  have  more  freedom  to 
operate  automated  systems  in  less  secure  environments  since  they  would  be 
assured  that  the  computers  and  networks  can  provide  the  necessary  security. 

•  Status  of  Standards  -  Security  standards  for  most  areas  are  relatively  new, 
though  there  is  a  significant  commitment  within  industry  and  government  toward 
developing  and  implementing  standards.  Most  security  standards  have  not  yet 
been  widely  implemented,  and  are  therefore  not  stable.  Vendors  hesitate  to 
implement  products  based  on  draft  standards.  Even  when  standards  are 
finalized,  they  are  not  stable.  Stability  comes  when  the  standards  have  been 
implemented  and  there  is  little  technological  pressure  to  change  them.  Since 
many  of  the  international  standards  are  not  stable,  existing  standards  that  are 
more  widely  implemented  may  be  used  in  the  interim. 
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•  Naval  Environment  -  Studies  concerning  the  architecture  and  security 
implications  for  four  Naval  systems  were  reviewed.  They  were: 

-  Battle  Management  Command  and  Control  System 

-  Submarine  Command  System 

-  Integrated  Interior  Communications  and  Control  (iC)2 

-  Integrated  C^l  (formerly  Copernicus)  and  supporting  communications  systems. 

Required  security  services  were  identified  and  generally  found  to  conformed  to 
those  that  apply  to  all  networked  or  distributed  systems.  Furthermore,  the 
specific  mechanisms  that  are  required  for  the  Navy  systems  are  those  that  are 
commonly  used.  Figure  2-1  summarizes  the  security  services  and  mechanisms 
suggested  in  the  various  studies  and  also  indicates  that  standardization  efforts 
have  addressed  provisions  for  all  of  the  identified  services  and  mechanisms. 


Figure  2-1.  Required  vs.  Provided  Security  Services  and  Mechanisms 


•  Security  Mechanisms  -  Network  security  mechanisms  are  categorized 
according  to  the  following  security  services,  as  shown  in  Figure  2-2: 

-  Authentication 

-  Access  Control 

-  Audit  and  Accountability 

-  Confidentiality 

-  Integrity 

-  Non-Repudiation 

-  Service  Assurance. 
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Authentication 

Confidentiality 

•  Peer  Address  Checking 

•  Physical  Protection 

•  Authentication  Exchange 

-  Isolation 

-  Passwords 

-  Selective  Routing 

—  Supporting  Devices 

•  Information  Hiding 

-  Hand-held  devices 

—  Symmetric  Encipherment 

-  Smart  cards 

—  Asymmetric  Encipherment 

-  Biometric  readers 

-  Traffic  Padding 

“*  Chailenge-Response 

•  Partial  Accessibility 

-  Symmetric  Encipherment 

—  Internal  Fragmentation 

-  Asymmetric  Encipherment 

-  Data  Scattering 

•  Certification  Authority 

•  Continuity  of  Authentication 

Access  Control 

Integrity 

•  System-Oriented  Access  Control 

•  Error  Detection 

—  Object  Reuse 

—  Error  Detection  Codes 

"  Trusted  Path 

-  Integrity  Check  Values  (ICV) 

~  Connection  Timeout 

—  Message  Digests 

•  Discretionary  Access  Control 

•  Encryption  for  Integrity 

—  Access  Control  Lists 

—  Cryptographic  Seal 

—  Capabilities 

—  Digital  Signature 

—  Authentication  Server 

•  Sequence  Protection 

•  Mandatory  Access  Control 

—  Sequence  Numbers 

-  Security  Labels 

-  Cryptographic  Chaining 

-  Routing  Control 

-  Timestamps 

riGTISCXiOn  lDIXS 

Audit  and  Accountability 

"■  Source  Addresses 

•  Audit  Mechanism 

•  Alarm  Mechanism 

Service  Assurance 

Non-Repudiation 

•  Redundant  Components 

•  Digital  Signature 

•  Fault  Tolerance 

•  Notary  Service 

•  Priority  Processing 

Figure  2-2.  Generic  Security  Mechanisms 


Secure 

Solutions, 

Inc, 


2-5 


Contract  No.  N00039-93-C-0099 


Final  Report:  Results  of  the  SBIR  Phase  II  Effort 


September  5, 1995 


2.3  Task  3:  Analysis  of  End-to-End  Encryption  and 
Traffic  Flow  Confidentiality 

The  use  of  end-to-end  encryption  (E^)  services  in  internetworks  where  the 
trustworthiness  of  intermediate  subnetworks  is  not  provided  is  a  critical  capability  for  the 
Navy.  The  data  to  be  transferred  from  the  source  host  to  the  destination  host  can  be 
encrypted  at  the  source  and  not  be  decrypted  until  it  reaches  the  destination. 
Advantages  of  using  end-to-end  encryption  in  internetworks  could  include  the  flexibility 
to  connect  classified  hosts  to  commercial  networks.  Even  if  the  data  traverses 
subnetworks  or  components  that  are  not  trustworthy,  the  data  still  retains  its  assurance 
of  confidentiality  so  long  as  the  encryption  keys  are  not  compromised  and  the 
encryption  algorithm  is  sufficient  to  preclude  a  cryptanalytic  attack. 

Although  end-to-end  encryption  protects  the  user  data  from  observation,  it  does 
not  safeguard  against  traffic  flow  leakage  from  protocol  headers  that  are  applied  after 
the  end-to-end  encryption  is  performed.  Security-relevant  information  that  may  be 
available  in  the  headers  or  derived  from  the  headers  includes  source  and  destination 
addresses,  priorities,  security  labels,  message  lengths,  transmission  frequencies, 
sequence  numbers,  flow  control  information,  message  routing  lists,  lifetime  of  the 
protocol  data  unit  (PDUs),  and  checksums.  It  is  necessary  to  determine  the  extent  of 
the  vulnerabilities  associated  with  sending  headers  in  the  clear  in  order  to  eliminate  or 
reduce  the  traffic  flow  confidentiality  problem.  The  nature  of  this  information  provides  a 
basis  for  determining  the  advantages  and  disadvantages  of  providing  traffic  flow 
confidentiality  services  at  the  lower  layers  after  the  headers  have  been  applied. 

Task  3  analyzed  protocol  control  information  (PCI)  associated  with  LAN  and 
WAN  communication  protocols  and  assessed  what  information  can  be  derived  from  the 
protocol  headers  through  traffic  analysis,  which  is  the  inference  of  information  from 
observation  of  traffic  flows  (e.g.,  their  presence,  absence,  amount,  direction,  route, 
frequency,  time  of  transfer,  length,  and  other  security-relevant  information). 

The  report  described  the  utility  of  traffic  flow  confidentiality  options  that  may  be 
employed  to  reduce  the  risk  of  exposure  to  traffic  analysis.  The  primary  measure  to 
implement  traffic  flow  confidentiality  is  the  prevention  of  direct  observation  of 
information.  This  is  accomplished  with  a  confidentiality  service,  i.e.,  through  the  use  of 
encryption  for  most  networks  or  a  protected  distribution  system  for  some  links  of  a 
network.  In  addition,  the  ability  for  an  adversarial  traffic  analyst  to  derive  information 
must  be  prevented.  This  is  accomplished  through  the  insertion  of  dummy  traffic,  data 
padding,  route  control,  data  unit  segmentation,  address  hiding,  and  timing  techniques. 
The  padding  mechanisms  must  be  implemented  before  the  confidentiality  mechanisms 
in  order  to  be  effective. 
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The  major  conclusions  of  Task  3  were: 

•  In  most  environments,  the  implementation  of  traffic  flow  confidentiality  is 
unwarranted  due  to  the  processing  overhead  associated  with  its  use 

•  In  those  cases  where  traffic  flow  confidentiality  is  warranted,  it  may  be  advisable 
to  implement  a  combination  of  mechanisms  at  different  layers.  The  OSI  Security 
Architecture,  ISO  7498-2,  identifies  the  layers  at  which  traffic  flow  confidentiality 
can  be  provided:  the  Application  Layer,  Network  Layer,  and  Physical  Layer 

•  Implementation  of  traffic  flow  confidentiality  at  the  Application  Layer  will  allow  the 
user  to  be  selective.  In  addition,  this  provides  end-to-end  (user-to-user)  service. 
By  implementing  traffic  flow  confidentiality  at  a  lower  layer,  traffic  flows  for  the 
End  System  as  a  whole  can  be  masked 

•  Data  padding  performed  at  the  Application  Layer  is  the  first  step  in  effectively 
concealing  message  sizes  and  types.  Data  padding  can  also  be  accomplished  at 
the  Transport,  Network,  and  Data  Link  Layers,  perhaps  with  less  impact  because 
it  would  not  be  applied  to  individual  applications.  NLSP  is  the  only  protocol  that 
is  specifically  designed  to  perform  data  padding  for  traffic  flow  confidentiality 

•  When  padding  is  accomplished  at  the  Application  Layer,  encipherment  will  be 
accomplished  at  the  Presentation  Layer  after  context  translation.  When  padding 
is  accomplished  at  the  Network  Layer,  encipherment  can  be  accomplished 
immediately  after  by  the  same  protocol  entity 

•  SDE  can  be  used  at  the  Data  Link  Layer  to  encapsulate  Connectionless  Network 
Protocol  (CLNP)  and  Logical  Link  Control  (LLC)  headers  on  LANs.  Although  ISO 
7498-2  does  not  call  for  traffic  flow  confidentiality  services  at  the  Data  Link  Layer, 
SDE  can  provide  limited  traffic  flow  confidentiality  within  a  LAN,  or  across 
multiple  LANs  connected  by  remote  bridges.  What  remains  exposed  to 
observation  by  other  nodes  on  the  LAN  are  the  Media  Access  Control  (MAC) 
addresses,  and  time  and  frequency  of  transmission.  Since  SDE  cannot  be 
implemented  with  WAN  protocols,  X.25  and  Link  Access  Procedures-B  (LAPB) 
headers  expose  information  that  can  only  be  protected  at  the  Physical  Layer 

•  Traffic  padding  can  generate  dummy  traffic  between  two  End  Systems  or  any 
segment  of  a  network  to  help  camouflage  heavy  traffic  loads.  While  traffic 
padding  is  an  important  traffic  flow  confidentiality  mechanism,  it  incurs  much 
overhead  because  connections  must  be  padded  to  near  capacity  in  order  to 
conceal  when  peak  traffic  actually  exists 

•  Segmentation  with  encryption  conceals  the  original  size  of  data  units  formed  by 
application  processes.  Segmentation  is  performed  by  some  Application  Layer 
protocols.  Transport  Protocol  Classes  4  (TP4)  and  1  (TP1),  NLSP,  CLNP,  X.25, 
and  SDE 
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•  Timing  techniques  to  delay  low  priority  messages  can  be  employed  when  there  is 
heavy  traffic  so  the  load  appears  to  stay  at  an  even  level 

•  Route  control,  provided  by  CLNP,  is  an  effective  support  mechanism  to  help 
ensure  that  traffic  is  not  routed  over  insecure  subnetworks  or  components.  It  can 
also  be  used  to  disperse  PDUs  and  PDU  segments  over  diverse  paths. 
However,  traffic  analysts  may  still  be  able  to  infer  when  there  is  a  high  volume  of 
traffic  between  two  particular  hosts  if  addresses  or  PDU  types  can  be  identified, 
even  though  they  cannot  observe  the  full  load.  Route  control  requires  the  use  of 
additional  fields  in  the  PDU  to  explicitly  identify  the  path  to  be  traversed.  If  a 
security  protocol  is  used  to  encapsulate  the  CLNP  header,  an  additional  CLNP 
protocol  header  may  be  needed  below  the  security  protocol  to  implement  route 
control  over  the  untrusted  portion  of  the  internetwork.  For  these  reasons,  there  is 
significant  overhead  associated  with  route  control.  Routing  control  also 
introduces  security  risks  which  may  outweigh  the  benefits  of  its  use 

•  CLNP  headers  contain  information  that  a  traffic  analysts  can  use  to  recognize 
when  particular  activities  are  underway  at  the  source  and  destination 
organizations.  Therefore,  it  is  preferable  to  implement  NLSP  or  SP3  below  CLNP 
in  environments  where  the  security  protocol  peer  entities  are  End  Systems  so  the 
actual  addressee  can  be  hidden 

•  Another  reason  for  implementing  NLSP  or  SP3  below  CLNP  is  that  CLNP  has  a 
lifetime  field  (i.e.,  expiration  counter)  in  the  header  that  is  decremented  by  each 
Intermediate  System  and  used  to  eliminate  expired  PDUs  from  the  network.  An 
adversary  could  modify  the  lifetime  field  in  order  to  flood  a  network  or  to  cause 
messages  to  expire  before  they  arrive  at  their  destination  and  still  maintain  the 
normal  traffic  flow  out  of  the  adversarial  station 

•  FDDI  can  be  protected  by  physical  means  or  through  full  period  encryption  on 
each  point-to-point  link 

•  Carrier  Sense  Multiple  Access  with  Collision  Detection  (CSMA/CD)  can  be 
partially  protected  with  full  period  enciyption,  but  the  preamble  and  starting 
delimiter  must  be  sent  in  the  clear  to  achieve  bit  and  frame  synchronization 

•  Full  traffic  flow  confidentiality  can  only  be  provided  at  the  Physical  Layer  in 
certain  circumstances:  two-way  simultaneous  (full-duplex),  synchronous,  point- 
to-point  transmission.  Full  traffic  flow  confidentiality  is  not  effective  against  active 
threats  unless  integrity  mechanisms  are  also  utilized  in  a  cooperative  manner 

•  A  mechanism  that  offers  a  high  degree  of  protection  from  wiretapping  of  the  link 
between  two  remote  bridges  which  are  in  close  proximity  is  a  Protected 
Distribution  System  (PDS).  However,  a  PDS  would  not  protect  traffic  from 
observation  by  other  stations  on  a  LAN.  Full  period  encryption  provides  a  similar 
service  when  the  remote  bridges  are  geographically  remote. 
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The  recommendations  of  the  Task  3  study  were: 

•  Implement  traffic  flow  confidentiality  mechanisms  only  when  absolutely 
necessary  because  they  require  significant  overhead  and  may  cause  network 
congestion 

•  Consider  implementation  of  a  combination  of  mechanisms  at  different  layers 

•  When  traffic  flow  confidentiality  is  deemed  necessary,  the  protocol  stack  should 
primarily  include  traffic  flow  confidentiality  at  the  Network  Layer  for  internetwork 
traffic,  and  at  the  Data  Link  Layer,  when  possible,  for  traffic  contained  within  the 
LAN 

•  Traffic  flow  confidentiality  on  a  link  basis  should  be  more  widely  implemented  for 
the  links  that  connect  End  Systems  to  an  internetwork.  This  can  be  implemented 
most  robustly  using  full  period  encryption.  An  alternative  that  is  feasible  for  some 
sites  is  to  use  physical  security  measures  such  as  a  PDS 

•  Avoid  the  use  of  route  control  for  traffic  flow  confidentiality  due  to  excessive 
overhead  associated  with  its  use,  the  need  for  two  CLNP  headers  when  a 
security  protocol  is  applied  below  the  upper  CLNP  header,  and  security  risks  that 
accompany  its  use 

•  When  deciding  whether  to  implement  confidentiality  services  at  the  Network  or 
Data  Link  Layers,  system  architects  must  consider  what  type  of  network  is 
involved.  In  a  WAN,  subnetworks  and  routing  are  implemented  at  the  Network 
Layer.  Similar  subnetwork  and  routing  functions  are  exhibited  at  the  Data  Link 
Layer  in  LANs.  For  these  reasons,  the  following  layer  placement  options  for 
traffic  flow  confidentiality  are  recommended: 

-  Application  Layer  -  Appiication  Layer  traffic  padding  mechanisms  should  be 
reserved  for  those  sites  or  applications  that  are  determined  to  have  traffic 
profiles  which  can  be  used  to  infer  classified  missions  or  information.  When 
an  application  processes  classified  information  that  is  highly  desired  by  an 
adversary  and  that  information  is  transmitted  over  an  internetwork  where  the 
adversary  may  have  an  opportunity  to  observe,  modify,  or  delay  the 
information,  a  data  padding  mechanism  should  be  placed  in  the  Application 
Layer  to  disguise  the  message  type  and  size.  Timing  techniques  should  be 
implemented  in  the  application  process  to  delay  low  priority  traffic  during  peak 
traffic  periods  and  dummy  traffic  should  be  generated  during  low  traffic  load 
periods  so  that  high  loads  cannot  be  identified 

_  Presentation  Layer  -  end-to-end  encryption  should  be  applied  in  conjunction 
with  the  traffic  padding  mechanism  in  the  Application  Layer 
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-  Network  Layer  -  Network  Layer  mechanisms  can  be  applied  to  traffic 
originating  from  a  broad  range  of  applications  on  the  host  and  are  less  costly 
to  implement  than  if  they  were  implemented  in  each  application  process  or 
protocol.  If  a  single  Application  Service  Element  (ASE)  or  operating  system 
utility  is  used  to  protect  all  application  processes,  then  implementation  costs 
will  be  comparable.  Data  padding,  end-to-end  encryption,  and  the  generation 
of  dummy  traffic  should  be  performed  at  the  Network  Layer  for  most 
environments,  particularly  when  it  is  necessary  to  camouflage  all  traffic 
between  two  hosts  or  a  set  of  hosts.  The  use  of  dummy  traffic  at  the  Network 
Layer  should  be  limited  to  hosts  that  require  strong  traffic  flow  confidentiality 
so  that  the  network  does  not  become  overly  congested.  In  most  cases,  it 
would  be  better  to  generate  dummy  traffic  at  the  Data  Link  Layer  for 
dedicated  links  between  two  stations 

Additional  protocol  options  that  could  be  implemented  at  the  Network  Layer 
include  segmentation,  disbursement  of  the  segments,  and  route  control. 
Route  control  can  only  be  implemented  at  the  Network  Layer.  These 
mechanisms  have  much  less  impact  on  network  performance  than  does  the 
generation  of  dummy  traffic  and  should  be  used  when  portions  of  the  network 
are  outside  the  controlled  environment 

-  Data  Link  Layer  -  The  generation  of  dummy  traffic  across  the  link  between  a 
DTE  and  a  DCE  should  be  used  to  hide  the  true  traffic  load  to  and  from  the 
End  System  without  causing  congestion  on  the  network.  Timing  techniques 
should  be  implemented  on  the  same  links  as  well,  and  for  the  same  reasons 

The  segmentation,  data  padding,  and  encapsulation  capabilities  of  SDE  can 
be  used  on  LANs  to  hide  PCI  from  other  stations  that  are  authorized  to 
connect  to  the  LAN  when  pairwise  unique  keys  are  employed  between 
stations.  SDE  is  also  effective  between  multiple  LANs  connected  by  local  or 
remote  bridges  and  can  be  used  to  provide  end-to-end  encapsulation  within  a 
LAN  internetwork 

-  Physical  Layer  -  Full  period  encryption  should  be  used  to  protect  individual 
point-to-point  links.  In  particular,  full  period  encryption  should  be  used  on 
links  between  remote  bridges  that  are  outside  of  protected  enclosures  and 
protected  paths 

-  Physical  Installation  -  A  protected  distribution  system  should  be  installed  to 
protect  cables  that  traverse  areas  that  are  not  protected  at  the  level  of  the 
data  being  carried  on  the  network.  For  example,  if  two  shipboard  LANs  are 
installed  in  areas  of  a  ship  that  are  not  adjacent,  the  cable  connecting  the 
remote  bridges  should  be  protected  by  a  PDS. 
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2.4  Task  4:  Naval  Network  Security  Requirements  Analysis 

Task  4  analyzed  the  DoD  Goal  Security  Architecture  (DGSA),  Multilevel 
Information  Systems  Security  Initiative  (MISSI),  and  Navy  Integrated  Command  and 
Control,  Communications  and  Computers,  and  Intelligence  (Integrated  C^l)  programs  in 
order  to  determine  security  implementation  requirements  for  Navy  networks  in  light  of 
emerging  technologies.  The  study  identified  10  major  security  implementation 
requirements.  They  are  to  provide  security  for  the  following: 

•  Open  systems  architecture 

•  Interconnectivity  and  distributed  processing 

•  Use  of  COTS  /  GOTS  hardware  and  software 

•  Processing  at  extremely  high  speeds 

•  Multilevel  security 

•  User  mobility 

•  Multimedia  communications 

•  Firewalls 

•  Selectable  security  services 

•  Multicast  routing. 

The  analysis  included  a  brief  review  of  the  current  environment,  characterized  by 
existing  and  proposed  network  security  products,  and  discussed  possible  deficiencies 
which  may  require  the  deveiopment  of  additional  security  products.  These  findings 
were  preliminary  and  merit  further  investigation. 

The  major  conclusions  of  the  Task  4  study  were  that  it  appeared  there  were  not 
adequate  security  products  to  meet  the  requirements  for: 

•  Secure  User  Mobility  -  As  networks  become  more  robust  and  users  become 
more  mobile,  users  will  demand  access  to  their  data  from  any  station  in  the 
network.  As  computers  become  more  portable,  they  will  at  times  require 
broadcast  media  for  connectivity  to  the  network  rather  than  cables.  Likewise, 
when  a  computer  is  carried  around  a  ship,  aircraft,  hospital,  or  other  workplace, 
the  connection  must  not  be  lost  or  interfered  with,  and  must  not  interfere  with 
other  signals  such  as  radar  and  navigation.  Technology  is  beginning  to  address 
the  need  for  mobility,  but  security  has  not  been  a  driving  force  in  the  development 
efforts 
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•  Secure  Multimedia  -  Some  trusted  workstations  are  able  to  apply  two  types  of 
sensitivity  labels  to  the  information  they  represent,  one  that  indicates  the 
classification  range  for  the  user  and  one  that  indicates  the  sensitivity  of  a 
particular  window.  The  label  for  the  information  will  be  at  the  same  or  lower 
sensitivity  level  as  the  user's  session  label.  Network  security  mechanisms  also 
indicate  a  workstations  range  of  permissible  classifications  and  the  classification 
level  for  a  particular  session,  but  no  single  protocol  has  been  designed  to  handle 
both.  Multimedia  communications  will  require  such  labeling.  There  are  other 
security  issues  that  pertain  to  multimedia.  In  particular,  as  multimedia 
applications  are  introduced  to  run  at  the  speeds  of  ATM,  the  minimum  acceptable 
transmission  speeds  will  rise  rapidly.  Security  mechanisms  must  be  developed 
to  support  these  speeds.  Some  SONET  and  ATM  encryptors  are  being 
developed,  but  encryptor  products  are  needed  at  higher  layers  as  well 

•  Secure  Firewalls  -  The  security  community  is  not  in  agreement  as  to  whether 
firewalls  are  beneficial  or  detrimental.  Some  argue  that  firewalls  provide  a  false 
sense  of  security.  Since,  by  definition,  some  protocols  must  be  permitted  to  pass 
traffic  through  the  firewall,  that  traffic  can  be  dangerous  and  difficult  to  protect. 
Others  argue  that  firewalls  can  filter  out  specific  types  of  communications  that  are 
known  to  be  high  risk.  Regardless,  firewalls  are  not  currently  very  effective. 
Since  it  is  not  presently  possible  to  install  adequate  security  in  every  user 
workstation  and  server,  and  since  interconnectivity  is  needed  for  operational 
purposes,  there  is  presently  an  urgent  need  for  secure  firewalls 

•  Secure  Multicast  Routing  -  In  order  to  minimize  network  congestion,  multicast 
techniques  are  being  developed  to  send  one  copy  of  a  message  across  parts  of 
the  network  and  then  have  routers  burst  the  message  into  multiple  copies  for 
delivery  to  all  intended  recipients.  This  capability  is  imperative  as  multimedia 
applications  become  more  common.  This  capability  is  also  imperative  as 
communication  bandwidths  to  and  from  mobile  platforms  (e.g.,  ships)  are  always 
less  than  desired.  As  multicast  protocols  are  developed,  security  issues  must  be 
addressed  to  ensure  that  routers  correctly  deliver  traffic  to  all  intended  users  and 
at  the  same  time  do  not  deliver  traffic  where  it  is  not  intended.  Other  security 
implications  concern  the  application  of  security  protocols  that  encrypt  the 
destination  address  in  a  protected  header.  Since  the  multicast  protocol  must  be 
able  to  modify  the  address  entries,  it  may  conflict  with  the  use  of  an  end-to-end 
security  protocol. 

Since  the  technologies  and  standards  that  support  mobile  users  and  multicast 
capabilities  are  not  stable.  Task  4  suggested  that  it  may  be  premature  to  attempt  to 
develop  security  products  for  these  areas.  (Note:  since  the  Task  4  report  was  published, 
much  progress  has  occurred  in  these  areas.)  However,  participation  in  the 
standardization  efforts  by  security  engineers  was  highly  recommended  in  the  Task  4 
report.  It  also  stated  that  security  products  should  be  developed  to  meet  near-term 
requirements  for  the  following: 
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•  Secure  Multimedia  -  Multimedia  applications  are  being  developed  and  will  soon 
be  in  wide  use  on  internetworks.  Existing  mechanisms  that  provide  security 
services  are  not  suitable  for  the  wide  bandwidth  of  multimedia,  or  for  providing 
unique  security  such  as  supporting  multiple  sensitivity  labels  for  video  and 
whiteboard  windows.  Whiteboard  windowing  is  a  service  that  generally 
piggybacks  on  video  teleconferencing  to  provide  a  second  window  that  displays 
the  speaker's  presentation  slides.  The  audience  can  then  simultaneously  view 
the  speaker  and  the  slides.  An  advantage  of  whiteboarding  is  that  it  uses  a 
narrow  bandwidth  to  provide  the  service 

•  Secure  Firewalls  -  Several  types  of  firewalls  are  urgently  needed.  Perhaps  the 
most  important  are  Network  Layer  firewalls  (routers).  However,  there  are  also 
requirements  for  Data  Link  Layer  firewalls  (bridges)  and  for  application  specific 
firewalls  (Application  Gateways)  that  can  be  installed  in-line  with  the  current 
generation  of  Network  Layer  firewalls. 

Further  studies  are  needed  to  assess  these  areas  that  appear  to  be  deficient. 
Additional  products  are  needed  to  meet  the  security  needs  in  these  two  areas.  When 
user  mobility  and  multicast  technologies  are  more  stable,  security  protocols,  products, 
and  interfaces  will  be  needed  in  those  areas. 

2.5  Task  5:  NetWare  4  Administrator’s  Security  Guidance  Handbook 

A  decade  ago,  centralized  multi-user  mainframe  computers  were  the  standard 
architecture  for  allowing  users  to  share  software  applications,  files,  printers,  and  other 
resources.  The  advantages  of  the  centralized  architecture  were  that  it  allowed  the 
sharing  of  data  and  expensive  resources  and  provided  for  central  control  and 
management  of  the  data.  The  disadvantages  were  that  it  was  not  flexible  in  meeting 
user  needs  and  did  not  encourage  creativity  in  the  use  of  data.  In  addition,  it  was  a 
single  point  of  failure. 

The  introduction  of  PCs  brought  flexibility  in  the  way  users  could  manipulate  their 
data,  and  also  encouraged  the  proliferation  of  distributed  sources  of  data.  This  often 
meant  no  central  control  of  the  information  and,  furthermore,  it  meant  conflicting  sources 
of  information.  In  addition,  it  meant  higher  equipment  costs  because  each  user  wanted 
a  printer  attached  to  their  PC  so  they  would  not  have  to  carry  a  diskette  to  another  PC  in 
order  to  print  a  file.  Very  quickly,  the  LAN  became  popular  as  a  tool  to  enable 
information,  software,  and  printer  sharing  similar  to  what  users  experienced  with  the 
centralized  architecture.  The  LAN  combined  the  flexibility  of  desktop  PCs  with  the 
sharing  capabilities  of  the  centralized  processor. 

Dedicated  servers  soon  emerged  because  some  server  functions,  such  as 
database  management,  required  more  power  than  a  non-dedicated  PC  could  provide. 
As  depicted  in  Figure  2-3,  many  functions  have  been  migrated  to  dedicated  servers. 
For  example,  dedicated  servers  are  used  to  support  not  only  application  files. 
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databases,  and  print  spooling,  but  also  central  LAN  management  and  security,  fax 
machines,  graphic  scanning,  mailboxes,  dial-up  modems,  and  directory  services.  Even 
dumb  terminals  can  still  access  a  centralized  host  connected  to  the  LAN  through  the 
use  of  terminal  servers.  Client-server  strategies  create  relatively  inexpensive  computing 
platforms  that  are  easy  to  customize  for  specific  applications  and  provide  magnitudes 
more  processing  power  than  the  centralized  systems  they  replace.  In  addition,  they  are 
scalable  to  meet  current  and  future  Naval  needs. 

With  the  centralized  host  model,  management  and  security  were  relatively 
straightforward.  Today,  placing  files  and  databases  on  dedicated  servers  has  several  of 
the  advantages  that  were  present  in  centralized  systems:  the  centralization  of  data 
management  facilitates  the  supervision  and  control  of  information;  the  servers  are 
easier  to  secure  and  maintain  because  they  are  in  one  location  managed  by  one 
authority:  and  backups  are  simplified  for  the  same  reasons.  In  fact,  with  fult  tolerance 
and  redundancy  features,  LANs  can  often  provide  a  higher  level  of  service  assurance 
than  can  a  mainframe.  Fault  tolerance  and  recovery  capabilities  are  designed  into 
many  networks  in  order  to  minimize  the  risk  of  the  network  being  unavailable  and  to 
maximize  the  speed  of  recovery  when  it  is  unavailable. 
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Approximately  60  percent  of  the  network  operating  systems  (NOSs)  in  operation 
today  are  Novell  NetWare.  Other  major  NOSs  include  AppleShare,  Banyan's  Vines, 
Artisoft's  LANtastic,  and  Microsoft's  recently  introduced  Windows  NT.  Novell  NetWare 
was  the  first  true  file-server  system  available  for  PC  LANs.  NetWare  runs  on  most  PCs 
in  either  a  DOS  or  Windows  environment  and  supports  DOS,  OS/2,  and  Macintosh 
workstations.  A  NetWare  file  server  makes  it  possible  for  programs  running  on  user 
workstations  to  locate  and  retrieve  files  from  the  server  just  as  though  the  files  were 
being  retrieved  from  the  workstation's  local  hard  disk.  To  the  application  program,  the 
files  look  and  act  just  as  they  would  if  they  were  stored  locally.  Applications  can  also  be 
located  on  NetWare  servers  for  transparent  access  from  workstations. 

NetWare  3  is  currently  the  most  widely  installed  version  of  NetWare.  The 
management  database  for  NetWare  3,  called  the  Bindery,  is  specific  to  one  server;  that 
is,  this  version  is  designed  to  operate  on  single  dedicated  servers.  Each  NetWare  3 
server  is  managed  individually  because  there  is  no  management  communication 
between  servers.  Thus,  the  NetWare  Administrator  has  to  establish  access  rules  in  the 
Bindery  of  each  NetWare  3  server.  Two  objects  (e.g.,  users,  printers)  cannot  be 
assigned  the  same  name  because  they  would  not  be  distinguishable. 

Novell's  most  current  version  of  NetWare  is  NetWare  4.  With  version  4, 
administrators  view  the  network  as  a  single  entity  —  an  Enterprise  Network  —  rather  than 
as  a  collection  of  individual  servers,  each  needing  individual  management  and  control. 
With  NetWare  4,  references  to  objects  include  both  the  name  and  location.  Thus,  two 
users  (or  other  objects)  having  the  same  name  can  exist  on  the  network,  or  even  on  the 
same  server.  User  accounts  are  set  up  once  and  are  given  appropriate  access  rights  to 
any  server  on  the  network  for  which  they  are  authorized.  The  NetWare  4  Administrator 
establishes  access  rules  with  one  database  for  the  entire  network.  This  database  is 
called  NetWare  Directory  Services  (NDS).  Servers  can  be  added  or  removed  with 
minimal  effort  and  access  rules  can  be  applied  uniformly  across  the  network. 

Government  and  commercial  organizations  face  a  common  problem  of 
having  trained  personnel  rotate  on  to  new  assignments,  leaving  inadequately  trained 
replacements  to  administer  the  networks.  In  addition,  many  organizations  that  have 
NetWare  3  installed  are  in  the  process  of,  or  are  contemplating,  migration  to  NetWare  4, 
but  their  administrators  have  not  been  trained  to  manage  NetWare  4.X  networks. 
NetWare  4  includes  new  features  that  experienced  NetWare  3  Administrators  may  not 
be  aware  of. 

Because  NDS  is  complex,  the  administrator  must  take  certain  precautions  in 
order  to  avoid  unknowingly  creating  vulnerabilities  in  the  security  structure.  In  addition, 
there  are  many  third-party  products  that  can  be  installed  to  further  enhance  security  in 
sensitive  environments.  Security  issues  concerning  sensitive  environments,  NetWare  4 
features,  and  supporting  third-party  products  must  be  understood  by  first-time 
administrators  as  well  as  trained  NetWare  3  administrators  in  order  to  make  intelligent 
decisions. 


Secure 

Solutions, 

Inc. 


2-15 


Contract  No.  N00039-93-C-0099 


Final  Report:  Results  of  the  SBIR  Phase  II  Effort 


September  5,  1995 


The  purpose  of  Task  5  was  to  develop  a  NetWare  4  Administrator's  Security 
Guidance  Handbook.  The  handbook  was  intended  for  the  inexperienced  administrator 
who  may  not  have  a  technical  background  with  NetWare.  The  objective  of  the 
handbook  was  to  provide  consolidated,  concise,  and  easy  to  read  security  guidance  on 
Novell  NetWare  4  so  that  the  administrator  will  be  able  to  take  the  correct  steps  to 
counter  any  threats  that  may  arise.  All  major  security  issues  and  topics  were  raised  at  a 
very  high  level  to  acquaint  the  new  administrator  with  the  issues.  Pointers  to  detailed 
references  were  included  for  the  reader  who  wishes  to  investigate  specialized  topics  of 
interest  to  a  deeper  level. 

NetWare  4  security  involves  controlling  user  logins,  controlling  access  rights  to 
the  NDS  Directory  tree,  and  controlling  access  rights  to  the  file  system,  including  setting 
file  attributes.  The  first  of  the  two  major  layers  of  security  is  implemented  in  NDS;  the 
other  in  the  file  system.  NDS  is  a  special-purpose  database  which  administers  the 
security  of  resources,  services,  and  user  accounts,  in  other  words,  it  is  a  logical  map 
that  allows  users  to  locate  and  access  resources  (i.e.,  objects)  anywhere  in  the  network. 
NetWare  Administrators  are  responsible  for  maintaining  this  logical  map.  The  file 
system  consists  of  volumes  contained  on  the  servers.  Each  volume  has  its  own 
directory  structure  (not  to  be  confused  with  the  NDS  Directory  tree).  NDS  and  the  file 
system,  shown  in  Figure  2-4,  are  separate,  though  closely  related.  In  addition,  login 
controls  are  implemented  when  user  accounts  are  activated.  Of  course,  physical 
protection  of  servers  and  their  consoles  is  always  necessary,  as  is  security  of  the 
printing  services. 
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Security  issues  that  are  not  solved  by  the  implementation  of  NetWare  4  security 
features  were  discussed  in  the  handbook.  Third-party  products  that  are  available  to 
help  resolve  some  of  those  problems  were  identified.  Other  areas  of  interest  include 
access  controls  for  the  workstation,  enhanced  authentication  that  incorporates  one-time 
passwords,  data  encryption,  network  analysis  and  management,  audit  reduction,  firewall 
security,  and  virus  protection.  Vendors  have  developed  hardware  and  software 
products  for  each  of  these  security  areas.  While  most  of  the  products  discussed  in  the 
handbook  operate  independently  of  NetWare,  they  all  function  well  in  a  NetWare 
environment.  Some  are  designed  as  Virtual  Loadable  Modules  (VLMs),  which  are 
executable  files  installed  on  the  workstation,  that  load  the  DOS  Requester  software. 
The  DOS  Requester  determines  whether  service  requests  should  be  directed  to  DOS 
on  the  local  workstation  or  to  NetWare  on  the  sen/er.  A  few  are  designed  as  NetWare 
Loadable  Modules  (NLMs)  which  are  installed  on  servers  to  expand  the  functionality  of 
the  NetWare  operating  system.  These  are  tightly  coupled  with  the  operating  system 
and  have  instant  access  to  other  operating  system  services. 

Naval  LANs  provide  interconnectivity  throughout  a  department  or  entire 
organization.  This  interconnectivity  includes  electronic  mail  and  file  transfers.  Some 
organizations  also  extend  the  interconnectivity  to  other  organizations.  The  Internet  is  an 
interconnected  worldwide  collection  of  networks  that  any  organization  may  connect  to  if 
they  choose.  Navy  organizations  have  recognized  that  it  is  to  their  advantage  to  allow 
their  staff  to  connect  to  the  Internet  in  order  to  extend  the  electronic  mail  and  file 
transfers  beyond  their  local  organization.  The  NetWare  administrator  must  be  aware  of 
the  trend  toward  interconnectivity  and  take  steps  to  support  this  need,  while  at  the  same 
time  taking  steps  to  protect  the  organization  from  outside  tampering. 

The  NetWare  4  Administrator's  Security  Guidance  Handbook  described  basic 
firewall  architectures  and  discusses  issues  concerning  external  interfaces  since  many 
organizations  are  faced  with  the  decision  of  whether  to  connect  to  external  networks  or 
remain  isolated  in  the  interest  of  better  security.  As  discussed  in  NIST  Special 
Publication  800-10  [NIST  94D],  a  firewall  is  needed  to  help  protect  the  organization's 
LAN  from  unauthorized  outside  access.  Another  name  for  a  firewall  is  secure  Internet 
gateway.  A  firewall  can  be  used  to  connect  the  organization's  internal  network  to  an 
external  network  and  provide  traffic  routing  services  between  the  external  and  internal 
networks.  It  may  also  store  information  that  the  organization  wishes  to  make  public  to 
the  outside  world  (e.g.,  Web  home  pages  and  archives  available  for  Anonymous  FTP 
access).  The  traffic  routing  services  may  be  implemented  at  the  Network  Layer  by 
incorporating  filtering  rules  in  a  router,  or  may  be  implemented  at  the  Application  Layer 
by  using  an  Application  Gateway.  Each  has  advantages  and  disadvantages.  Often  the 
firewall  will  incorporate  both  approaches. 

The  NetWare  4  Administrator's  Security  Guidance  Handbook  attempted  to 
surface  security  concerns  that  remain  in  spite  of  the  installation  of  NetWare  features  and 
third-party  products  so  that  the  security  administrator  could  at  least  be  aware  of  the 
concerns  and  be  alert  to  changes  that  may  elevate  the  importance  of  these  issues. 
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The  conclusions  and  recommendations  of  the  NetWare  4  Administrator's  Security 
Guidance  Handbook  were  as  follows: 

•  Security  Posture  -  It  is  important  that  the  security  staff  understand  the  threats 
and  vulnerabilities  of  the  system  in  order  to  reduce  security  risks  to  an  acceptable 
level.  This  is  accomplished  through  performance  of  a  risk  assessment.  An 
important  part  of  the  risk  assessment  is  the  quantification  of  the  sensitivity  and 
criticality  of  the  information  to  be  protected.  Decisions  concerning  the 
appropriate  level  of  security  to  be  implemented  can  only  be  made  after 
determining  the  sensitivity  and  criticality  of  the  data. 

•  NetWare  Administrator  Training  -  An  overview  of  the  NetWare  NDS  and  File 
System  structures  was  presented.  While  this  will  acquaint  the  administrator  with 
the  concepts,  in-depth  training  on  NetWare  administration  is  required.  This  can 
be  acquired  from  authorized  Novell  trainers,  or  when  that  is  not  possible,  video 
training  is  available  from  several  sources.  Administrators  should  continue  to 
attend  NetWare  training  courses  to  broaden  their  exposure  to  aspects  beyond 
basic  administration.  Personnel  who  will  perform  NetWare  Auditor  roles  should 
also  attend  training  courses.  Participation  in  user  groups  is  recommended  to 
provide  contacts  among  peers  for  the  exchange  of  ideas  and  recommendations. 

•  Implementation  of  NetWare  Security  Features  -  The  security  administrator  is 
responsible  for  enforcing  the  organization's  security  policy.  Guidance  concerning 
the  implementation  of  NetWare  security  features  was  presented.  Administrators 
should  carefully  review  these  recommendations  and  consider  whether  they  are 
appropriate  for  their  organization.  They  should  also  understand  the  concepts  so 
that  they  can  modify  their  implementations  as  necessary.  Once  the  mechanisms 
have  been  activated,  they  should  be  tested  and  periodically  retested.  Even 
experienced  administrators  make  errors.  Tools  are  available  to  assist  in  the 
analysis.  They  can  identify  vulnerabilities  that  would  not  have  been  found  had 
the  tools  not  been  used.  Protocol  analyzers  and  network  management  products 
should  be  mandatory  elements  of  the  administrator's  toolkit. 

•  Implementation  of  Secure  External  Interfaces  -  Organizations  that  are 
considering  installing  modems  for  dial-up  access  or  gateways  to  external 
networks  face  increased  risks  from  many  sources.  These  risks  can  be  managed 
with  the  right  tools.  The  handbook  discussed  some  of  the  concerns  and 
presented  an  overview  of  firewall  technology.  The  criticality  and  sensitivity  of  the 
information  must  be  well  understood  before  a  decision  to  permit  dial-up  access  or 
connectivity  to  external  networks  can  be  made.  Firewall  technology  has 
improved  dramatically  in  the  past  year,  yet  there  are  those  who  still  feel  any 
firewall  can  be  penetrated  and  a  firewall  only  provides  a  false  sense  of  security. 

•  Use  of  Third-party  Products  -  NetWare  was  not  designed  to  provide  a  high 
level  of  security.  Accordingly,  the  security  features  of  NetWare  are  limited. 
Third-party  products  are  available  to  the  administrator  that  has  a  need  for  them. 
The  handbook  discussed  products  that  enhance  workstation  access  controls. 
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provide  stronger  authentication  than  what  is  delivered  with  NetWare,  provide  data 
encryption  for  privacy,  augment  the  administrator's  analysis  and  management 
toolkit,  implement  firewalls  of  varying  strengths,  and  provide  virus  protection. 
Many  of  these  products  are  relatively  inexpensive  and  are  strongly 
recommended.  Others  are  more  costly,  yet  provide  such  strong  degrees  of 
security  that  they  should  be  considered  when  the  criticality  or  sensitivity  of  the 
data  dictates. 

•  Employee  Security  Awareness  Training  -  Any  security  program  is  doomed  to 
fail  if  the  user  community  is  not  educated,  trained,  and  convinced  of  it's 
importance.  Employee  security  awareness  training  that  clearly  describes  the 
threat,  purpose  for  the  security  policy,  security  policy,  and  user  responsibilities  is 
necessary  in  every  organization. 


2.6  Task  7i  Participation  in  Security  Groups 

National  and  international  working  groups  are  developing  security  standards  to 
promote  interoperability  and  network  security.  The  following  working  groups  were 
selected  for  attendance  in  order  to  observe  the  progress  of  relevant  standards  and 
develop  recommendations  for  selecting  security  services  in  Navy  systems: 


•  Task  Group  X3T5.7  -  Standards  Committee  for  Open  Systems  Security 
(Accredited  by  American  National  Standards  Institute)  -  meetings  attended: 
August  1 993 

•  Open  Systems  Environment  (OSE)  Implementors'  Workshop  (OIW)  -  National 
Institute  of  Standards  and  Technology  (NIST)  -  meetings  attended:  September 
1993 

•  IEEE  802.10  Working  Group  -  Standard  for  Interoperable  LAN  and  MAN  Security 
(SILS)  -  meetings  attended:  November  1993,  March  1994,  and  July  1994 

•  Internet  Engineering  Task  Force  (IETF)  Security  Area  Working  Groups  - 
meetings  attended:  March  1994  and  December  1994 

In  addition,  meetings  were  attended  at  the  National  Security  Agency  to  discuss 
the  DGSA  program,  the  Naval  Research  Laboratory  to  discuss  Internet  and  Navy 
security  programs,  the  Naval  Computer  and  Telecommunications  Station  to  discuss  the 
Defense  Message  System,  the  Naval  Air  Force  U.S.  Pacific  Fleet  headquarters  to  tour 
the  aircraft  carrier  USS  Constellation,  and  the  Naval  Surface  Force  U.S.  Pacific  Fleet 
headquarters  to  tour  the  amphibious  assault  ship  USS  Essex.  Participation  in  these 
meetings  produced  the  following  findings: 
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•  Task  Group  X3T5.7  -  The  Standards  Committee  for  Open  Systems  Security 
was  responsible  for  the  development  of  three  important  international  standards: 

-  Security  Frameworks  for  Open  Systems  (ISO/IEC  10181)  -  Security 
frameworks  developed  jointly  as  International  Telecommunications  Union 
(ITU-T)  Recommendations  and  as  a  multipart  International  Standard,  define 
the  means  of  providing  protection  for  systems,  objects  within  systems,  and 
interactions  between  systems.  This  includes  databases,  distributed 
applications,  open  distributed  processing,  and  open  systems  interconnection. 
Frameworks  define  basic  security  concepts,  possible  classes  of  mechanisms, 
services  for  those  classes  of  mechanisms,  functional  requirements  of 
protocols,  and  general  management  requirements. 


Security  frameworks  are  not  concerned  with  specific  implementations  or 
methodologies  for  mechanisms.  Other  standards  can  use  frameworks  by 
incorporating  concepts  and  providing  specific  security  services  and 
mechanisms.  ISO/IEC  10181  consists  of  the  following  parts: 


-  Part  1 : 

-  Part  2: 

-  Part  3: 

-  Part  4: 

-  Part  5: 

-  Part  6: 

-  Part  7: 

-  Part  8: 


Security  Frameworks  Overview 
Authentication  Framework 
Access  Control  Framework 
Confidentiality  Framework 
Integrity  Framework 
Non-Repudiation  Framework 
Security  Audit  Framework 
Guide  to  Open  Systems  Security. 


-  OSI  Upper  Lavers  Security  Model  (ISO/IEC  107451  -  The  Upper  Layers 
Security  Model,  to  be  jointly  assigned  as  ITU-T  Recommendation  X.803,  is 
concerned  with  development  of  application-independent  services  and 
protocols  in  order  to  minimize  the  need  for  application-specific  application 
service  elements  (ASEs)  to  contain  internal  security  services.  It  specifies: 


-  Security  aspects  of  communication  in  the  upper  layers 

-  Upper  layers  support  of  security  services,  as  defined  in  the  frameworks 

-  Positioning  and  relationships  of  security  services  and  mechanisms  in  the 
upper  layers,  in  accordance  with  ISO  7498-2  and  ISO  9545 

-  Interactions  among  upper  layers,  and  between  upper  layers  and  lower 
layers,  in  providing  and  using  security  services 

-  Upper  layer  requirements  for  security  information  management. 


Secure 

Solutions, 

Inc. 


2-20 


Contract  No.  N00039-93-C-0099 


Final  Report:  Results  of  the  SBIR  Phase  II  Effort 


Septembers,  1995 


The  model  does  not  specify: 

-  Security  service  definitions 

-  Security  protocol  specifications 

-  Security  mechanisms,  their  requirements,  or  their  protocol  requirements 

-  Provisions  for  security  which  are  not  concerned  with  OSI  communications. 


The  Upper  Layers  Security  Model  provides  the  structure  for  services  to  be 
defined  for  the  session,  presentation,  and  application  layers.  The  Model 
specifically  discusses  the  following  security  services: 


-  Connection  Confidentiality 

-  Connectionless  Confidentiality 

-  Selective  Field  Confidentiality 

-  Connection  Integrity  With  Recovery 

-  Connection  Integrity  Without  Recovery 

-  Connectionless  Integrity 

-  Selective  Field  Integrity 


Entity  Authentication 
Data  Origin  Authentication 
Access  Control 
Security  Labeling 
Non-Repudiation,  Origin 
Non-Repudiation,  Delivery 
Key  Management. 


-  Generic  Upper  Laver  Security  fGULS)  Standard  (ISO/lEC  11586)  -  GULS 
specializes  some  of  the  application  layer  concepts  of  the  Upper  Layers 
Security  Model  to  permit  the  exchange  of  security-related  information 
between  application  processes  in  a  distributed  environment.  GULS  defines 
generic  facilities  to  support  construction  of  Upper  Layer  security  protocols. 
These  generic  security  facilities  do  not  in  themselves  provide  security 
services,  but  are  construction  tools  for  protocols  which  will  provide  security 
services  for  the  upper  layers.  GULS  facilities  include: 


-  A  set  of  notational  tools  to  support  the  abstract  syntax  specification  of 
selective  field  protection  requirements,  and  to  support  the  specification  of 
security  exchanges  and  security  transformations 

-  A  service  definition,  protocol  specification,  and  PICS  proforma  for  an 
application  service  element  to  support  security  services  provided  in  the 
Application  Layer 

-  A  specification  and  Protocol  Implementation  Conformance  Statement 
(PICS)  proforma  for  security  transfer  syntax,  associated  with  Presentation 
Layer  support  for  security  services  in  the  Application  Layer. 

GULS  consists  of  six  parts,  including  what  was  previously  the  Security 
Exchange  Application  Service  Element  (SE-ASE)  being  developed  by  ISO.  A 
service  element  (SE)  is  a  primitive  defined  at  the  interface  between  two 
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adjacent  layers.  An  application  service  element  (ASE)  is  a  set  of  functions 
that  support  application  programs.  An  ASE  represents  a  type  of  work  that  the 
user  expects  to  be  performed,  such  as  security  exchanges,  along  with  the 
elements  needed  to  perform  that  work.  The  GULS  parts  are: 


Overview,  Models,  and  Notation 

Security  Exchange  Service  Element  (SESE)  Service  Definition 

SESE  Protocol  Specification 

Protecting  Transfer  Syntax  Specification 

SESE  PICS  Proforma 

Protecting  Transfer  Syntax  PICS  Proforma. 


-  Part  1 

-  Part  2 

-  Parts 

-  Part  4 

-  Parts 

-  Parts 

GULS  facilities  will  support  protocols 
services  required  by  applications: 

-  Entity  Authentication 

-  Data  Origin  Authentication 

-  Traffic  Flow  Confidentiality 

-  Connection  Confidentiality 

-  Connectionless  Confidentiality 

-  Selective  Field  Confidentiality 

-  Non-Repudiation 


which  provide  the  following  security 

-  Discretionary  Access  Control 

-  Mandatory  Access  Control 

-  Labeling 

-  Connection  Integrity 

-  Connectionless  Integrity 

-  Selective  Field  Integrity 

-  Key  Management. 


•  OSE  Implementors'  Workshop  -  The  OIW  Security  special  interest  group  (SIG) 
were  attended  to  acquire  the  current  status  of  the  NIST  OSI  standardization 
efforts.  The  objectives  of  the  Security  SIG  are  to  define  security  architectures 
and  implementation  profiles  including: 

-  OSI  security  protocols 

-  Cryptographic  algorithms 

-  Key  management  systems. 

A  specific  interest  of  the  OIW  is  to  extend  the  services  described  in  the  OSI 
Security  Architecture  (ISO  7498-2)  to  all  Integrated  Services  Digital  Network 
(ISDN)  applications,  including  voice  use  of  the  public  network.  The  security 
services  to  be  provided  for  ISDN  are  access  control,  authentication, 
confidentiality,  integrity,  non-repudiation,  service  assurance,  and  notarization. 
The  primary  service  assurance  issues  are  capacity,  redundancy,  and  recovery. 
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•  IEEE  802.10  SILS  Working  Group  -  The  Standard  for  Interoperable  LAN  and 
MAN  Security  (SILS)  [IEEE  93A]  is  being  developed  by  the  IEEE  802.10  Working 
Group.  Packet  switched  networks  (PSNs)  and  wide  area  networks  (WANs)  were 
the  architectural  models  used  to  develop  the  OSI  Reference  Model  (ISO  7498)  in 
1984.  The  broadcast  nature  of  LANs  introduces  vulnerabilities  associated  with 
subnetworks  and  routing  that  are  not  present  in  the  Data  Link  Layer  of  PSNs  and 
WANs  because  of  their  point-to-point  nature.  SILS  will  expand  security  services 
to  protect  LANs.  SILS  consists  of  four  parts  and  a  PICS  Proforma: 

-  802.10  Clause  1  -  SILS  Model 

-  802.1 0  Clause  2  -  Secure  Data  Exchange  (SDE)  Protocol 

-  802.1 0  Clause  3  -  Key  Management  Protocol 

-  802.1 0  Clause  4  -  Security  Management. 

Clause  1  provides  an  overview  for  security  of  local  area  networks  and 
metropolitan  area  networks,  defines  terms,  and  provides  an  architecture  which 
describes  the  relationship  of  each  of  the  security  protocols  to  ISC  7498-2. 

Clause  2  defines  the  SDE  Protocol  to  be  implemented  at  the  Data  Link  Layer. 
SDE  augments  standard  LLC  and  MAC  communications  protocols  without 
replacing  those  protocols.  An  SDE  frame  encapsulates  the  LLC  frame  and  has 
optional  fields  to  satisfy  a  broad  range  of  security  applications.  SDE  requires  no 
change  to  the  existing  upper-layer  protocols  in  the  stack.  SDE  will  operate  in 
LANs  and  MANs  where  not  all  stations  use  SDE. 

SDE  provides  data  confidentiality  through  encipherment.  Connectionless 
integrity  is  provided  through  the  use  of  an  integrity  check  value  (I CV).  Data  origin 
authentication  is  achieved  through  the  use  of  the  integrity  service,  or  through  the 
use  of  key  management  and  the  placement  of  a  Station  ID  in  the  SDE  protected 
header.  Access  control  is  provided  by  key  management  or  system  management. 

Clause  3  establishes  a  structure  for  key  management  to  provide  keying  material 
and  association  attributes  needed  by  security  protocols  at  all  layers.  The  GULS 
Standard  services  will  be  used  to  support  SILS  key  management.  Clause  3 
allows  asymmetric  key  management  (via  X.509  certificates),  symmetric  key 
management  (ANSI  X9.17),  and  manual  keying,  and  addresses  multicast  keying. 

Clause  4  describes  management  functions  and  protocols  that  support  the 
security  services  provided  in  other  clauses. 

SILS  provides  the  following  security  sen/ices: 

-  Access  Control 

-  Data  Origin  Authentication 

-  Labeling 


-  Data  Confidentiality 

-  Connectionless  Integrity 

-  Key  Management. 


Secure 

Solutions, 

Inc. 


2-23 


Contract  No.  N00039-93-C-0099 


Final  Report:  Results  of  the  SBIR  Phase  II  Effort 


September  5,  1995 


•  Internet  Engineering  Task  Force  (IETF)  -  The  IETF  began  as  a  forum  for 
technical  coordination  by  contractors  for  the  Defense  Advanced  Research 
Projects  Agency  (DARPA),  working  on  the  ARPANET,  Defense  Data  Network 
(DDN),  and  the  Internet  core  gateway  system.  The  first  IETF  meeting  was  held 
in  1986  with  15  attendees.  Since  that  time,  the  Internet  has  grown  to  more  than 
six  million  host  computers  and  60  million  users,  and  is  currently  doubling  in  size 
every  six  months.  Attendance  at  the  IETF  is  proportional,  with  just  under  1,000 
attendees  at  the  last  meeting.  There  are  four  groups  in  the  IETF  structure: 

-  Internet  Society  (ISOC1  and  Board  of  Trustees  -  responsible  for  Internet 
growth,  evolution,  standardization,  and  usage  (social,  political,  and  technical) 

-  Internet  Architecture  Board  (lABI  -  the  ISOC  technical  advisory  group; 
oversees  two  Task  Forces:  IETF,  which  considers  near-term  problems,  and 
Internet  Research  Task  Force  (IRTF),  which  considers  long-term  problems 

-  Internet  Engineering  Steering  Group  (lESGI  -  consists  of  the  directors  of 
each  of  the  IETF  functional  areas  and  the  IETF  Chair.  Responsible  for 
technical  management  of  IETF  activities  and  the  Internet  Standards  process 

-  IETF  itself  -  proposes  solutions  to  technical  Internet  problems,  specifies 
protocols  and  near-term  architectures,  recommends  their  standardization  to 
the  lESG,  and  provides  a  forum  for  information  exchange.  The  IETF  is 
divided  into  ten  Functional  Areas,  one  of  which  is  the  Security  Area.  The 
number  of  Working  Groups  within  the  Security  Area  increases  at  almost  every 
IETF  meeting.  Currently,  there  are  10  Security  Area  Work  Groups,  with  the 
likelihood  that  one  more  will  be  added  in  July.  They  are: 

-  Security  Area  Advisory  Group  (saag) 

-  Internet  Protocol  Security  Protocol  (ipsec) 

-  Common  Authentication  Technology  (cat) 

-  Domain  Name  System  Security  (dnssec) 

-  Privacy  Enhanced  Mail  (pern) 

-  Authorization  and  Access  Control  (aac) 

-  Commercial  IP  Security  Option  (cipso) 

-  Independent  Object/Document  Security  (ios) 

-  Authenticated  Firewall  Traversal  (aft) 

-  Web  T  ransport  Security 

-  S/Key  One-Time  Password. 
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3.0  Proposed  Direction  for  Future  Work  Efforts 


Networking  technology  has  evolved  significantly  over  the  past  few  years  and  the 
mission  of  the  SPAWAR  INFOSEC  Office  (PD71)  has  evolved  to  keep  pace  with  it. 
PD71  is  charged  with  the  responsibility  of  being  the  single  point  of  contact  for  Navy, 
Marine  Corps,  and  Coast  Guard  for  the  planning,  development,  acquisition,  fielding,  and 
life-cycle  support  of  standard  INFOSEC  products.  Network  operating  systems  provide  a 
wide  range  of  client-server  security  features,  yet  they  do  not  meet  all  of  the  Navy's 
security  needs  nor  those  of  commercial  organizations  processing  highly  sensitive  data. 

An  area  that  stands  out  as  a  problem  for  some  commercial  and  Navy 
organizations  is  the  protection  of  Sensitive  Unclassified  information  on  LANs.  Another 
problem  commercial  and  Government  organizations  face  is  that  they  are  assigning 
inexperienced  personnel  to  set  up,  provide  security  for,  and  manage  their  networks.  In 
addition,  many  personnel  who  are  adequately  trained  rotate  on  to  new  assignments, 
leaving  inadequately  trained  replacements  to  administer  the  networks. 

Phase  II  began  the  effort  of  providing  security  management  guidance  to  NetWare 
administrators.  This  supports  the  SPAWAR  Chief  Engineer's  missions  of 
recommending  security  designs  and  implementation  alternatives  and  providing  security 
documentation  reviews  and  support.  It  also  supports  the  SP AWAR  Customer  Seryice 
Division  missions  to  provide  system  security  support,  translate  INFOSEC  threats  into 
security  enhancements,  and  develop  INFOSEC  training  programs. 

It  has  been  proposed  that  the  SBIR  Phase  III  effort  focus  on  the  Sensitive 
Unclassified  environment  in  support  of  these  PD71  missions. 
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Figure  3-1.  SBIR  Phase  III  Objectives 


The  Phase  III  proposal  calls  for  Secure  Solutions  to  develop  a  comprehensive  set 
of  network  security  administration  tools  for  recently  assigned  Novell  NetWare 
administrators  in  commercial  and  Government  organizations.  It  has  also  been  proposed 
that  Phase  III  tasking  be  broadened  to  include  support  of  Windows  NT  environments 
since  the  recently  introduced  Windows  NT  is  rapidly  becoming  widely  implemented  as 
well. 


The  products  would  provide  guidance  materials  and  security  administration  tools 
to  help  the  inexperienced  administrators  who  understand  the  mechanics  of  activating 
NetWare  and  Windows  NT  user  accounts  and  establishing  rights  and  privileges,  but 
who  lack  security  training  for  sensitive  environments  and  need  support  tools  and 
guidance  concerning  which  security  features  to  implement  and  which  third-party 
products  to  install  on  the  network.  The  tools  would  also  support  administrators  with 
more  security  experience  but  who  lack  some  specific  knowledge  such  as  knowledge  of 
firewalls.  In  addition,  the  Phase  III  products  can  be  used  to  brief  management  on 
security,  resource,  and  funding  needs. 
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Figure  3-2.  SBIR  Phase  III  Task  Relationships 


The  following  tasks  are  proposed  for  Phase  III: 

•  Conduct  INFOSEC  research  -  Conduct  INFOSEC  technology  research  to 
determine  requirements  for  Sensitive  Unclassified  information  network 
environments 

•  Produce  Security  Administrator  Tooikits  -  Serve  as  a  system 
integrator/broker  for  the  Navy  in  the  design,  development,  and  testing  of  security 
administrator  toolkits  consisting  of  security  and  test  tools,  information  resources, 
and  a  HyperText  graphical  user  interface  on  CD-ROM 

•  Produce  Windows  NT  Security  Guidance  Handbook  -  Develop  a  Windows 
NT  Administrator's  Security  Guidance  Handbook  which  recommends  options  for 
securing  Windows  NT  LANs  in  commercial  and  Government  Sensitive 
Unclassified  environments.  The  handbook  will  be  modeled  after  the  NetWare 
Administrator's  Security  Guidance  Handbook  developed  during  Phase  II 

•  Develop  Security  Training  Materials  -  Develop  training  materials  (e.g.,  user 
and  administrator  training  requirements,  course  curriculum,  instructor's  guide, 
classroom  training  aids,  student's  guide,  tutorials  on  CD-ROM,  testing  materials, 
and  course  evaluation  forms)  for  commercial  and  Navy  organizations  to  convey 
security  information  to  NetWare  and  Windows  NT  users  and  administrators. 
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ALLPOWER 

ANSI 

API 

ARPANET 

ASE 

ATM 

B-ISDN 

C4I 

CD-ROM 

CLNP 

CMIP 

COTS 

CSMA/CD 

DARPA 

DCE 

DGSA 

DISSP 

DoD 

DQDB 

DTE 

E3 

FDDI 

FIPS 

FTAM 

FTP 

GLOBIXS 

GOSIP 

GOTS 

GULS 

lAB 

IC2 

ICV 

lEC 

IEEE 

lESG 

IETF 

INFOSEC 

IP 

IRTF 

ISDN 

ISO 
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All  Purpose  Workstation  Security  Peripheral 

American  National  Standards  Institute 

Application  Programming  Interface 

Advanced  Research  Project  Agency  Network 

Application  Service  Element 

Asynchronous  Transfer  Mode 

Broadband  Integrated  Services  Digital  Network 

Command  &  Control,  Communications  &  Computers,  and  Intelligence 

Compact  Disk  -  Read  Only  Memory 

Connectionless  Network  Protocol 

Common  Management  Information  Protocol 

Commercial  Off-The-Shelf 

Carrier  Sense  Multiple  Access  with  Collision  Detection 

Defense  Advanced  Research  Projects  Agency 

Data  Circuit-terminating  Equipment 

DoD  Goal  Security  Architecture 

DoD  Information  Systems  Security  Policy 

Department  of  Defense 

Distributed  Queue  Dual  Bus 

Data  Terminal  Equipment 

End-to-End  Encryption 

Fiber  Distributed  Data  Interface 

Federal  Information  Processing  Standard 

File,  Transfer,  Access  and  Management  Protocol 

File  Transfer  Protocol 

Global  Information  Exchange  System 

Government  OSI  Profile 

Government  Off-The-Shelf 

Generic  Upper  Layer  Security 

Internet  Architecture  Board 

Integrated  Interior  Communications  System 

Integrity  Check  Value 

International  Electrotechnical  Commission 

Institute  of  Electrical  and  Electronics  Engineers,  Inc. 

Internet  Engineering  Steering  Group 
Internet  Engineering  Task  Force 
Information  Security 
Internet  Protocol 
Internet  Research  Task  Force 
Integrated  Services  Digital  Network 
International  Standards  Organization 


A-1 


Contract  No.  N00039’93-C-0099 


Final  Report:  Results  of  the  SBIR  Phase  II  Effort 


Septembers,  1995 


Appendix  A  -  Acronyms  (continued) 


ISOC 

Internet  Society 

KMP 

Key  Management  Protocol 

LAN 

Local  Area  Network 

LAPB 

Link  Access  Procedures  -  B 

LLC 

Logical  Link  Control 

LOCK™ 

Logical  Coprocessing  Kernel 

MAC 

Mandatory  Access  Control 

MAC 

Media  Access  Control 

MAC 

Message  Authentication  Code 

MAN 

Metropolitan  Area  Network 

MISS! 

Multilevel  Information  Systems  Security  Initiative 

MLS 

Multilevel  Security 

MSP 

Message  Security  Protocol 

NCCOSC 

Naval  Command,  Control,  and  Ocean  Surveillance  Center 

NDS 

NetWare  Directory  Services 

NIST 

National  Institute  of  Standards  and  Technology 

NLSP 

Network  Layer  Security  Protocol 

NOS 

Network  Operating  System 

NRaD 

NCCOSC  RDTE  Division 

NRL 

Naval  Research  Laboratory 

NSA 

National  Security  Agency 

NSWC 

Naval  Surface  Warfare  Center 

OIW 

OSE  Implementors'  Workshop 

OSE 

Open  Systems  Environment 

OSI 

Open  Systems  Interconnection 

OSI  RM 

OSI  Reference  Model 

PCI 

Protocol  Control  Information 

PCMCIA 

Personal  Computer  Memory  Card  International  Association 

PDU 

Protocol  Data  Unit 

PDS 

Protected  Distribution  System 

PEM 

Privacy  Enhanced  Mail 

PGP 

Pretty  Good  Privacy 

PICS 

Protocol  Implementation  Conformance  Statement 

PSN 

Packet  Switched  Network 

SBIR 

Small  Business  Innovation  Research 

SDE 

Secure  Data  Exchange  Protocol 

SDNS 

Secure  Data  Network  System 

SE 

Service  Element 

SESE 

Security  Exchange  Service  Element 

SILS 

Standard  for  Interoperable  LAN  and  MAN  Security 

SMDS 

Switched  Multimegabit  Data  Service 

SMIB 

Security  Management  Information  Base 

SMP 

Security  Management  Protocol 

SMTP 

Simple  Mail  Transfer  Protocol 

SNMP 

Simple  Network  Management  Protocol 
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SONET  Synchronous  Optical  Network 

SP2L  Security  Protocol  2  for  LANs 

SP3  Security  Protocol  3 

SP4  Security  Protocol  4 

SP7  Security  Protocol  7 

SPAWAR  Space  and  Naval  Warfare  Systems  Command 

TADIXS  Tactical  Data  Information  Exchange  System 

TCP  Transmission  Control  Protocol 

TLSP  Transport  Layer  Security  Protocol 

TPO  Connection  Oriented  Transport  Protocol,  Class  0 

TP1  Connection  Oriented  Transport  Protocol,  Class  1 

TP2  Connection  Oriented  Transport  Protocol,  Class  2 

TP3  Connection  Oriented  Transport  Protocol,  Class  3 

TP4  Connection  Oriented  Transport  Protocol,  Class  4 

UDP  User  Datagram  Protocol 

VLM  NetWare  Virtual  Loadable  Module 

WAN  Wide  Area  Network 
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